


Control Predicates are Better 
than Dummy Variables for 
Reasoning about Program 
Control 



Leslie Lamport 



May 5, 1986 



Systems Research Center 



DEC's business and technology objectives require a strong research program. The 
Systems Research Center (SRC) and three other research laboratories are committed to 
filling that need. 

SRC began recruiting its first research scientists in 1984 — their charter, to advance 
the state of knowledge in all aspects of computer systems research. Our current 
work includes exploring high-performance personal computing, distributed computing, 
programming environments, system modelling techniques, specification technology, 
and tightly-coupled multiprocessors. 

Our approach to both hardware and software research is to create and use real systems 
so that we can investigate their properties fully. Complex systems cannot be evaluated 
solely in the abstract. Based on this belief, our strategy is to demonstrate the technical 
and practical feasibility of our ideas by building prototypes and using them as daily 
tools. The experience we gain is useful in the short term in enabling us to refine our 
designs, and invaluable in the long term in helping us to advance the state of knowledge 
about those systems. Most of the major advances in information systems have come 
through this strategy, including time-sharing, the ArpaNet, and distributed personal 
computing. 

SRC also performs work of a more mathematical flavor which complements our systems 
research. Some of this work is in established fields of theoretical computer science, such 
as the analysis of algorithms, computational geometry, and logics of programming. The 
rest of this work explores new ground motivated by problems that arise in our systems 
research. 

DEC has a strong commitment to communicating the results and experience gained 
through pursuing these activities. The Company values the improved understanding 
that comes with exposing and testing our ideas within the research community. SRC 
will therefore report results in conferences, in professional journals, and in our research 
report series. We will seek users for our prototype systems among those with whom we 
have common research interests, and we will encourage collaboration with university 
researchers. 



Robert W. Taylor, Director 









Copyright and reprint permissions: This work may not be copied or reproduced 
in whole or in part for any commercial purpose. Permission to copy in whole or in 
part without payment of fee is granted for non-profit educational and research purposes 
provided that all such whole or partial copies include the following: a notice that 
such copying is by permission of the Systems Research Center of Digital Equipment 
Corporation in Palo Alto, California; an acknowledgement of the authors and individual 
contributors to the work; and all applicable portions of the copyright notice. Copying, 
reproducing or republishing for any other purpose shall require a license with payment 
of fee to the Systems Research Center. 






Author's Abstract 

When explicit control predicates rather than dummy variables are used, the Owicki- 
Gries method for proving safety properties of concurrent programs can be strengthened, 
making it easier to construct the required program annotations. 



Capsule Review 

If the recipe for program verification is reduced to one sentence, it is "Use invariants." 
For a program that includes more than one process executing concurrently, the relevant 
invariant may involve private variables, shared variables, and the program counters of 
the different processes. The simple recipe becomes hard to follow, because it is difficult 
to factor the invariant into manageable pieces. 

This paper begins with a self-contained introduction to the basic methods for writing 
and verifying invariants of concurrent programs. The goal of these methods is to factor 
the global invariant into local pieces that are attached as annotations to points in the 
program text, and simultaneously to factor the proof of invariance into cases. The 
standard Owicki-Gries method and a strengthened version of it are considered in some 
detail. 

Two techniques are available for representing control state in the invariant: control 
predicates and dummy variables. At first it seems that the choice between the two is 
a matter of technical taste, but the paper argues that control predicates are compatible 
with the strengthened Owicki-Gries method, while dummy variables are not. 

Greg Nelson 
1 Introduction 



The Owicki-Gries method, an extension to concurrent programs of Floyd's method [3] 
for proving partial correctness of sequential programs, was developed independently 
by Owicki and Gries [11] and by us [8]. These two presentations of the method differed 
in two ways. First, Owicki and Gries used a conventional structured programming 
language while we used a flowchart language. This was a purely syntactic difference.¹ The 
second, more significant, difference involved how control information is represented. 

In the Owicki-Gries method, as in Floyd's method, a program is annotated by attaching 
assertions to control points. The major part of the proof involves showing the invariance 
of the annotation [7]. In Floyd's method, the assertions mention only the program's 
variables. However, for concurrent programs, the assertions attached to one process 
must also refer to the control state of other processes — that is, they must be functions 
of the values of other processes' "program counters". The presentations in [11] and 
[8] differed in how dependence on the control state was expressed. In [11], Owicki 
and Gries avoided explicit mention of the control state by using dummy variables² — 
variables introduced only for the proof — to encode control information. In [8], we used 
control predicates — assertions that explicitly mention the control state. 

Since control predicates can be simulated by dummy variables, it appears that choosing 
between the two approaches is purely a matter of taste. We have preferred to use 
control predicates both for aesthetic reasons and because they are necessary for certain 
extensions of the method [10]. However, when applying the standard Owicki-Gries 
method, there seems to be no basic difference between the two approaches. 

In this paper, we show that there is a real difference between control predicates and 
dummy variables. Although dummy variables can represent the control state, the 
implicit nature of this representation limits their utility. The use of explicit control 
predicates allows a strengthening of the ordinary Owicki-Gries method that makes it 
easier to write annotations. 

Our strengthening of the Owicki-Gries method eliminates a well-known weakness in 
the original method. Assertional methods for proving safety properties involve proving 
the invariance of an assertion. In the Ashcroft method [1], one writes a single global 
assertion; in the Owicki-Gries method, the global assertion is decomposed into an 
annotation of the program. It often happens that when the global invariant used in an 
Ashcroft-method proof is decomposed in the obvious way, the original Owicki-Gries 
method cannot prove its invariance; a different and often more complicated annotation 
must be used. This is not the case with the strengthened version. If the Ashcroft method 
can prove invariance of a global assertion, then the strengthened Owicki-Gries method 
can prove the invariance of the corresponding annotation. 

¹The syntax used by Owicki and Gries suggested that they were extending Hoare's method [4], but this 
was not the case. See [10] for a generalization of Hoare's method to concurrent programs. 

²They have also been called "auxiliary variables", "ghost variables", and "thought variables". 
Strengthening the Owicki-Gries method makes it easier to construct proofs; it does 
not change what can be proved. The global invariant used in an Ashcroft-style proof 
can always be translated into a proof with the original Owicki-Gries method by simply 
attaching the global invariant to all control points, though of course this defeats the 
whole purpose of the method, which is to decompose the invariant. Moreover, even 
though the original Owicki-Gries method fails on one simple decomposition of the 
invariant, there may be another equally simple decomposition for which it does work. 
What we claim is that using the strengthened method requires less cleverness than using 
the original method. Finding the proper annotation to prove a property of a concurrent 
program is a difficult art; anything that makes the task easier should be welcome. 

Section 2 examines two simple algorithms. The first illustrates the Ashcroft and 
Owicki-Gries methods and shows why control predicates can permit a simpler program 
annotation than dummy variables. However, it does not convincingly demonstrate the 
need for control predicates because an extra lemma allows the same proof to be written 
with dummy variables. In Section 2.5, another algorithm is considered, and a proof 
using control predicates is given that cannot be so easily rewritten as one using dummy 
variables. 

To simplify the exposition, we consider $n$-process programs of the form 

$\mathbf{cobegin}\ \Pi_0 \parallel \Pi_1 \parallel \cdots \parallel \Pi_{n-1}\ \mathbf{coend}$ 

with each process $\Pi_i$ consisting of a sequence of statements 

$\langle S_1 \rangle; \langle S_2 \rangle; \ldots; \langle S_k \rangle$ 

where the angle brackets denote atomic operations. The atomic statements $\langle S_j \rangle$ are 
either ordinary assignment statements or statements of the form 

$\langle \mathbf{when}\ b\ \mathbf{do}\ S \rangle$ 

This is a synchronization primitive that causes the process to wait until the boolean 
expression $b$ is true, whereupon it executes $S$ as an atomic action. Thus, the semaphore 
operation $P(s)$ can be represented as 

$\langle \mathbf{when}\ s > 0\ \mathbf{do}\ s := s - 1 \rangle$ 

Since we are concerned only with safety properties, it does not matter whether one 
assumes any fairness properties of the when statement. However, it is important that 
the evaluation of $b$ and, if it evaluates to true, the subsequent execution of $S$ are a single 
atomic action. 

By restricting attention to such "straight-line processes", we avoid some irrelevant 
issues raised by branching and looping constructs. These constructs are discussed in 
Section 3.4. 
$\alpha_i$: $\langle x_i := \mathit{true} \rangle$; 
$\beta_i$: $\langle \mathbf{when}\ \neg x_{i \oplus 1}\ \mathbf{do}\ \mathbf{skip} \rangle$; 
$cs_i$: $\langle$ critical section $\rangle$; 
$\delta_i$: $\langle x_i := \mathit{false} \rangle$ 

Figure 1: A simple algorithm — process i's program. 

2 Examples 

2.1 A Simple Example 

We begin with a simple algorithm containing two processes, numbered 0 and 1. The 
program for each process $i$ is shown in Figure 1, where $\oplus$ denotes addition modulo 2. 
This algorithm is a simplified version of a popular mutual exclusion protocol. (In 
simplifying it, we have eliminated almost all semblance of a real mutual exclusion 
algorithm.) We assume that process $i$'s critical section statement does not modify $x_i$ or $x_{i \oplus 1}$. 

The property to be proved for this program is that both processes are not simultaneously 
at their critical sections. For any label $\lambda$, let $at(\lambda)$ be the control predicate that is true 
if and only if the process's control is at the point labeled $\lambda$. We must prove that 
$\neg(at(cs_0) \wedge at(cs_1))$ is always true. 

In any assertional method, one shows that an assertion $P$ is always true by exhibiting 
a global assertion $I$ such that: 

1. $I$ is true of the initial state. 

2. $I$ implies $P$. 

3. $I$ is invariant — that is, any program step executed with $I$ true leaves it true. 

In our example, $P$ is the assertion $\neg(at(cs_0) \wedge at(cs_1))$. 

2.2 The Ashcroft Method 

In the Ashcroft method, one simply writes the global assertion $I$ as a single formula. 
For our example, let $I$ be the assertion 

$\neg(at(cs_0) \wedge at(cs_1)) \wedge \bigwedge_{i=0,1} \big((at(\beta_i) \vee at(cs_i)) \Rightarrow x_i\big)$ (1) 

where $\Rightarrow$ denotes logical implication. Initially, both processes are at control point $\alpha$, 
and $I$ is trivially true, so condition 1 holds. Condition 2 is obvious, so we need prove 
only condition 3 — the invariance of $I$. 
The invariance of $I$ means that executing any atomic action of the program starting with 
$I$ true leaves $I$ true. Let $\langle \lambda \rangle$ denote the atomic statement with label $\lambda$. To prove the 
invariance of $I$ we must prove $\{I\}\langle \lambda \rangle\{I\}$ for every atomic program statement $\lambda$, where 
$\{P\}\langle \lambda \rangle\{Q\}$ is the Hoare logic formula asserting that if $\langle \lambda \rangle$ is executed with $P$ true, 
then $Q$ will be true after its execution [4]. (By definition of atomicity, an atomic action 
can be executed only if it terminates.) Note that, unlike the Hoare logic ordinarily used 
for sequential programs, we allow pre- and postconditions to contain control predicates. 

Verifying $\{I\}\langle \lambda \rangle\{I\}$ for each atomic operation $\langle \lambda \rangle$ in the program of Figure 1 is 
easy. There are four atomic operations in each process, so there are eight formulas to 
check. However, since the two processes are identical except for the value of $i$, the 
corresponding operations in both processes can be handled together, leaving only four 
formulas to verify. We will verify $\{I\}\langle \beta_i \rangle\{I\}$, which is the most interesting one; the 
reader can check the others. 

Since statement $\langle \beta_i \rangle$ can be executed only if $at(\beta_i)$ is true, and $at(cs_i)$ must be true after 
it is executed, to prove $\{I\}\langle \beta_i \rangle\{I\}$ it suffices to prove $\{I \wedge at(\beta_i)\}\langle \beta_i \rangle\{I \wedge at(cs_i)\}$. 
Simple logical manipulation shows that 

$I \wedge at(\beta_i) \equiv at(\beta_i) \wedge x_i \wedge [(at(\beta_{i \oplus 1}) \vee at(cs_{i \oplus 1})) \Rightarrow x_{i \oplus 1}]$ 
$I \wedge at(cs_i) \equiv at(cs_i) \wedge x_i \wedge \neg at(cs_{i \oplus 1}) \wedge (at(\beta_{i \oplus 1}) \Rightarrow x_{i \oplus 1})$ 

We must therefore show 

$\{at(\beta_i) \wedge x_i \wedge [(at(\beta_{i \oplus 1}) \vee at(cs_{i \oplus 1})) \Rightarrow x_{i \oplus 1}]\}\ \langle \beta_i \rangle\ \{at(cs_i) \wedge x_i \wedge \neg at(cs_{i \oplus 1}) \wedge (at(\beta_{i \oplus 1}) \Rightarrow x_{i \oplus 1})\}$ (2) 

Executing $\langle \beta_i \rangle$ does not change the value of any program variable or of the control 
state of process $i \oplus 1$, so the only part of the postcondition that is not immediately 
obvious is $\neg at(cs_{i \oplus 1})$. Statement $\langle \beta_i \rangle$ can be executed only when $x_{i \oplus 1}$ equals false, 
and the precondition implies that, in this case, $at(cs_{i \oplus 1})$ must also be false. Hence, after 
executing $\langle \beta_i \rangle$, $at(cs_{i \oplus 1})$ is false, which proves (2). Formal proof rules for deriving 
this kind of formula are given in Section 3.1. 

2.3 The Strengthened Owicki-Gries Method 

In the Owicki-Gries method, the invariant is written as a program annotation. An 
annotation in which, for every $\lambda$, assertion $I^\lambda$ is attached to control point $\lambda$ represents 
the assertion 

$I \equiv \bigwedge_{\lambda} \big(at(\lambda) \Rightarrow I^\lambda\big)$ (3) 

where $\lambda$ ranges over all control points of the program. To reformulate the proof above 
in the Owicki-Gries method, using control predicates, we must write the invariant (1) in 
the form of (3). Using the equivalence 

$\neg(at(cs_0) \wedge at(cs_1)) \equiv \bigwedge_{i=0,1} \big(at(cs_i) \Rightarrow \neg at(cs_{i \oplus 1})\big)$ 
$\alpha_i$: $\langle x_i := \mathit{true} \rangle$; 
$\{x_i\}$ $\beta_i$: $\langle \mathbf{when}\ \neg x_{i \oplus 1}\ \mathbf{do}\ \mathbf{skip} \rangle$; 
$\{x_i \wedge \neg at(cs_{i \oplus 1})\}$ $cs_i$: $\langle$ critical section $\rangle$; 
$\delta_i$: $\langle x_i := \mathit{false} \rangle$ 

Figure 2: Annotation of process i's program. 

(1) can be written as 

$\bigwedge_{i=0,1} \big[(at(\beta_i) \Rightarrow x_i) \wedge (at(cs_i) \Rightarrow (x_i \wedge \neg at(cs_{i \oplus 1})))\big]$ 

This assertion is expressed as the program annotation of Figure 2. 

In the original Owicki-Gries method, the invariance of the assertion $I$ defined by (3) is 
proved by verifying the following two conditions for each atomic statement $\langle \lambda \rangle$, where 
$\lambda^+$ denotes the control point immediately following $\langle \lambda \rangle$. 

Sequential Correctness: $\{I^\lambda\}\langle \lambda \rangle\{I^{\lambda^+}\}$ 

Interference Freedom: For every control point $\nu$ in a different process from $\lambda$: 
$\{I^\lambda \wedge I^\nu\}\langle \lambda \rangle\{I^\nu\}$ 

Sequential correctness asserts that executing $\langle \lambda \rangle$ starting with $I^\lambda$ (the assertion attached 
to $\lambda$) true makes $I^{\lambda^+}$ true. Interference freedom asserts that, for any control point $\nu$ in a 
different process, if $\langle \lambda \rangle$ is executed starting with both $I^\lambda$ and $I^\nu$ (the assertion attached 
to $\nu$) true, then the execution leaves $I^\nu$ true. Since execution of $\langle \lambda \rangle$ is possible only 
when control is at $\lambda$, and that execution leaves the process's control at $\lambda^+$ and does not 
change the control point of any other process, these two conditions imply $\{I\}\langle \lambda \rangle\{I\}$. 
Thus, proving these conditions for every statement $\langle \lambda \rangle$ proves the invariance of $I$. 

Proving sequential correctness for all the atomic actions in a process involves a standard 
Floyd-method verification of that process's annotation. For our example annotation 
of Figure 2, proving sequential correctness for $\langle \beta_i \rangle$ requires proving the following 
verification condition: 

$\{x_i\}\langle \beta_i \rangle\{x_i \wedge \neg at(cs_{i \oplus 1})\}$ (4) 

This cannot be proved. Looking only at process $i$, there is no reason why an execution 
of $\langle \beta_i \rangle$ starting with $x_i$ true should finish with $at(cs_{i \oplus 1})$ false. 

The Owicki-Gries method can be strengthened by allowing the use of the other process's 
annotation in proving sequential correctness. To prove sequential correctness for a 
statement $\langle \lambda \rangle$ of one process, we may assume, as the precondition for $\langle \lambda \rangle$, not just that 
$I^\lambda$ is true but that the assertion $I$ defined by the entire annotation is true. In particular, 
we can assume that each other process is at a control point whose attached assertion is 
true. Let $I_j$ be the assertion determined by process $j$'s annotation, so 

$I_j \equiv (at(\beta_j) \Rightarrow x_j) \wedge (at(cs_j) \Rightarrow (x_j \wedge \neg at(cs_{j \oplus 1})))$ 
$\alpha_i$: $\langle x_i := \mathit{true} \rangle$; 
$\{x_i\}$ $\beta_i$: $\langle \mathbf{when}\ \neg x_{i \oplus 1}\ \mathbf{do}\ acs_i := \mathit{true} \rangle$; 
$\{x_i \wedge \neg acs_{i \oplus 1}\}$ $cs_i$: $\langle$ critical section; $acs_i := \mathit{false} \rangle$; 
$\delta_i$: $\langle x_i := \mathit{false} \rangle$ 

Figure 3: Annotation of process i with dummy variables. 

When proving sequential correctness for $\langle \beta_i \rangle$, we may assume the truth of $I_{i \oplus 1}$, the 
annotation of process $i \oplus 1$. Therefore, instead of proving (4), we need prove only the 
weaker condition: 

$\{x_i \wedge I_{i \oplus 1}\}\langle \beta_i \rangle\{x_i \wedge \neg at(cs_{i \oplus 1})\}$ (5) 

This condition can be verified, since $I_{i \oplus 1}$ implies that if $x_{i \oplus 1}$ is false (the only case 
in which $\langle \beta_i \rangle$ can be executed) then $at(cs_{i \oplus 1})$ must also be false. In fact, except for 
lacking the obvious hypothesis $at(\beta_i)$, the precondition of (5) is the same as that of (2), 
and the postcondition of (5) is part of the postcondition of (2). 

Sequential correctness for the other atomic operations is easily verified, and the only 
nontrivial interference-freedom condition to be proved is that executing $\langle \beta_i \rangle$ does not 
falsify the assertion attached to $cs_{i \oplus 1}$. This involves verifying 

$\{x_{i \oplus 1} \wedge \neg at(cs_i) \wedge x_i\}\langle \beta_i \rangle\{x_{i \oplus 1} \wedge \neg at(cs_i)\}$ 

which is true because $\langle \beta_i \rangle$ cannot be executed when $x_{i \oplus 1}$ is true. (The formula 
$\{P\}\langle \lambda \rangle\{Q\}$ asserts that every possible execution of $\langle \lambda \rangle$ starting from a state in which 
$P$ is true terminates with $Q$ true, so it is vacuously valid if $\langle \lambda \rangle$ cannot be executed 
when $P$ is true.) 

2.4 The Owicki-Gries Method with Dummy Variables 

Let us now try to reformulate the proof above using dummy variables instead of 
control predicates. The first problem we encounter is that our correctness condition, 
that $\neg(at(cs_0) \wedge at(cs_1))$ is always true, is a control predicate. We therefore have to 
introduce a dummy boolean variable $acs_i$ to represent the control predicate $at(cs_i)$, 
where $acs_i$ is set true by $\langle \beta_i \rangle$ and set false by $\langle cs_i \rangle$. This leads to the annotated 
program of Figure 3. 

Let us consider the proof of sequential correctness for statement $\langle \beta_i \rangle$. The verification 
condition corresponding to (5) is 

$\{x_i \wedge I_{i \oplus 1}\}\langle \beta_i \rangle\{x_i \wedge \neg acs_{i \oplus 1}\}$ (6) 

where $I_{i \oplus 1}$ is the assertion 

$(at(\beta_{i \oplus 1}) \Rightarrow x_{i \oplus 1}) \wedge [at(cs_{i \oplus 1}) \Rightarrow (x_{i \oplus 1} \wedge \neg acs_i)]$ 

that corresponds to the annotation of Figure 3 for process $i \oplus 1$. We cannot verify (6). 
The assertion $I_{i \oplus 1}$ implies that $at(cs_{i \oplus 1})$ is false when $x_{i \oplus 1}$ is false; it does not imply 
that $acs_{i \oplus 1}$ is false when $x_{i \oplus 1}$ is false. Even though we introduced the variable $acs_{i \oplus 1}$ 
to represent the control predicate $at(cs_{i \oplus 1})$, they are formally different. The implication 
$at(cs_{i \oplus 1}) \Rightarrow x_{i \oplus 1}$ can be obtained directly from the annotation of process $i \oplus 1$. The 
implication $acs_{i \oplus 1} \Rightarrow x_{i \oplus 1}$, which is needed to prove (6), is not obtainable directly 
from the annotation. 

There are two ways to correct this problem. The first is to attach to each control point of 
the program the additional assertion $acs_{i \oplus 1} \Rightarrow x_{i \oplus 1}$. (More precisely, this assertion is 
conjoined with each of the assertions in the annotation, including the implicit assertion 
true at control points $\alpha_i$ and $\delta_i$.) The resulting annotation can then be verified with the 
original Owicki-Gries method. 

One can always convert an Ashcroft-method proof to a proof in the original Owicki- 
Gries method with dummy variables by strengthening the assertions. Indeed, this 
can be done quite trivially by attaching the global invariant to every control point, 
replacing control predicates with dummy variables. However, the whole point of the 
Owicki-Gries method is to break the large global assertion of Ashcroft's method into 
the simpler local assertions of the annotation, making the invariant easier to understand 
and to verify. If this requires more complicated local assertions, then the Owicki- 
Gries method may not offer any advantage. In our example, most people would 
probably prefer the Ashcroft proof to the Owicki-Gries proof with the extra assertion 
$acs_{i \oplus 1} \Rightarrow x_{i \oplus 1}$ added to all control points. 

The second way to fix the problem is to prove a lemma stating that, if the program 
is started in a proper initial state, then $acs_{i \oplus 1} \Rightarrow x_{i \oplus 1}$ is always true. Such a lemma 
is easily proved with the original Owicki-Gries method. This is the better approach 
because, in the spirit of the Owicki-Gries method, it breaks the proof into small parts. 
The use of such lemmas is described by Schneider in [12]. However, while possible in 
this case, an Ashcroft method proof cannot always be converted by a simple lemma to 
an Owicki-Gries method proof with dummy variables. In the next section, an example 
is given in which the use of dummy variables instead of control predicates forces one to 
use a different annotation. 
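As an added illustration (not part of the paper), the following Python script checks the conditions of Sections 2.3 and 2.4 by brute force. It enumerates every state of the two-process program (control points $\alpha$, $\beta$, $cs$, $\delta$ and an assumed end point after $\delta$; the variables $x_0, x_1$; and the dummy variables $acs_0, acs_1$ of Figure 3) and evaluates a CPHL formula $\{P\}\langle \lambda \rangle\{Q\}$ exactly as the text defines it: every state satisfying $P$ in which $\langle \lambda \rangle$ is enabled must step to a state satisfying $Q$, and the formula is vacuously true where $\langle \lambda \rangle$ is not enabled. The guard of $\beta_i$ is taken to be $\neg x_{i \oplus 1}$, the critical section is modelled as changing no $x_j$, and the function names are ours.

```python
"""Exhaustive check of the Figures 2 and 3 annotations over the whole state space.

Added example, not from the paper.  A state records each process's control point
(alpha, beta, cs, delta, or end = after(delta)), the program variables x_0, x_1 and
the dummy variables acs_0, acs_1 of Figure 3.  A CPHL triple {P} <lambda> {Q} holds
iff every state satisfying P in which <lambda> is enabled steps to a state
satisfying Q; an unenabled statement makes the triple vacuously true (Section 2.3).
"""
from itertools import product

POINTS = ("alpha", "beta", "cs", "delta", "end")
NEXT = {"alpha": "beta", "beta": "cs", "cs": "delta", "delta": "end"}
BOOL = (False, True)


def states():
    for pc0, pc1, x0, x1, a0, a1 in product(POINTS, POINTS, BOOL, BOOL, BOOL, BOOL):
        yield {"pc": [pc0, pc1], "x": [x0, x1], "acs": [a0, a1]}


def at(s, i, label):
    return s["pc"][i] == label


def enabled(s, i, label):
    """<label_i> can fire iff process i is at label and, for beta_i, not x_{i+1}."""
    return at(s, i, label) and (label != "beta" or not s["x"][1 - i])


def step(s, i, label):
    """Effect of <label_i>, including the dummy-variable updates of Figure 3."""
    t = {k: list(v) for k, v in s.items()}
    if label == "alpha":
        t["x"][i] = True
    elif label == "beta":
        t["acs"][i] = True
    elif label == "cs":
        t["acs"][i] = False        # the critical section touches no x_j (assumed)
    elif label == "delta":
        t["x"][i] = False
    t["pc"][i] = NEXT[label]
    return t


def triple(pre, i, label, post):
    """Truth of the CPHL formula {pre} <label_i> {post} over all states."""
    return all(post(step(s, i, label))
               for s in states() if pre(s) and enabled(s, i, label))


def I_ctrl(s, j):
    """I_j of Figure 2: (at(beta_j) => x_j) and (at(cs_j) => x_j and not at(cs_{j+1}))."""
    return ((not at(s, j, "beta") or s["x"][j]) and
            (not at(s, j, "cs") or (s["x"][j] and not at(s, 1 - j, "cs"))))


def I_dummy(s, j):
    """I_j of Figure 3: the same with at(cs_{j+1}) replaced by the dummy acs_{j+1}."""
    return ((not at(s, j, "beta") or s["x"][j]) and
            (not at(s, j, "cs") or (s["x"][j] and not s["acs"][1 - j])))


def condition_4(i):
    """Original sequential correctness {x_i} <beta_i> {x_i and not at(cs_{i+1})}."""
    return triple(lambda s: s["x"][i], i, "beta",
                  lambda s: s["x"][i] and not at(s, 1 - i, "cs"))


def condition_5(i):
    """Strengthened version: the other process's annotation I_{i+1} is assumed."""
    return triple(lambda s: s["x"][i] and I_ctrl(s, 1 - i), i, "beta",
                  lambda s: s["x"][i] and not at(s, 1 - i, "cs"))


def condition_6(i, with_lemma=False):
    """Dummy-variable version {x_i and I_{i+1}} <beta_i> {x_i and not acs_{i+1}};
    with_lemma conjoins the separately proved acs_{i+1} => x_{i+1} to the precondition."""
    def pre(s):
        lemma = (not s["acs"][1 - i]) or s["x"][1 - i]
        return s["x"][i] and I_dummy(s, 1 - i) and (lemma or not with_lemma)
    return triple(pre, i, "beta", lambda s: s["x"][i] and not s["acs"][1 - i])


def interference_beta_vs_cs(i):
    """Executing <beta_i> leaves the Figure 2 assertion attached to cs_{i+1} true."""
    j = 1 - i
    return triple(lambda s: s["x"][j] and not at(s, i, "cs") and s["x"][i],
                  i, "beta", lambda s: s["x"][j] and not at(s, i, "cs"))


def global_invariant_inductive():
    """Ashcroft condition 3 for the invariant (1), written as I_0 and I_1."""
    I = lambda s: I_ctrl(s, 0) and I_ctrl(s, 1)
    return all(triple(I, i, lab, I) for i in (0, 1) for lab in NEXT)


if __name__ == "__main__":
    for i in (0, 1):
        print(f"(4) original seq. correctness, beta_{i}:", condition_4(i))       # False
        print(f"(5) strengthened seq. correctness, beta_{i}:", condition_5(i))   # True
        print(f"(6) dummy variables, beta_{i}, no lemma:", condition_6(i))       # False
        print(f"(6) dummy variables, beta_{i}, with lemma:", condition_6(i, True))  # True
    print("interference freedom:", all(interference_beta_vs_cs(i) for i in (0, 1)))
    print("invariant (1) inductive:", global_invariant_inductive())
```

Because the check quantifies over every state, not only the reachable ones, a triple reported true is valid in the sense of Section 2.2; the counterexamples to (4) and (6) are exactly the states the text describes, with the other process at $cs$ (or with $acs_{i \oplus 1}$ set) while $x_{i \oplus 1}$ is false.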

2.5 Another Example 

Our second example is a highly simplified version of a mutual exclusion protocol used 
in [6]. It is an $n$-process program, with processes numbered 0 through $n - 1$, whose 
process $i$ is given in Figure 4 with its annotation. The shared variables $x$ and $y$ are of 
type integer, with $y$ initially equal to $-1$. The assertion $P_i$ in the annotation of process $i$ 
is defined to equal 

$\forall j \neq i : (\neg at(cs_j)) \wedge [(at(\gamma_j) \vee at(\delta_j)) \Rightarrow x \neq j]$ 
$\alpha_i$: $\langle x := i \rangle$; 
$\beta_i$: $\langle \mathbf{when}\ y = -1\ \mathbf{do}\ \mathbf{skip} \rangle$; 
$\gamma_i$: $\langle y := i \rangle$; 
$\{x = i \Rightarrow y \neq -1\}$ $\delta_i$: $\langle \mathbf{when}\ x = i\ \mathbf{do}\ \mathbf{skip} \rangle$; 
$\{P_i\}$ $cs_i$: $\langle$ critical section $\rangle$; 
$\{P_i\}$ $\epsilon_i$: $\langle y := -1 \rangle$ 

Figure 4: Process i of another mutual exclusion algorithm. 

With the ordinary Owicki-Gries method, proving sequential correctness of this annotation 
for statement $\langle \delta_i \rangle$ requires proving the following condition: 

$\{x = i \Rightarrow y \neq -1\}\langle \delta_i \rangle\{P_i\}$ 

This is not directly provable, since the postcondition asserts (among other things) that 
in no other process $j$ is control at control point $cs_j$, which cannot be inferred from the 
precondition. However, in the strengthened method, we are allowed to assume in the 
precondition that the assertion determined by every other process $j$'s annotation is true. 
Letting $I_j$ denote this assertion, so 

$I_j \equiv [at(\delta_j) \Rightarrow (x = j \Rightarrow y \neq -1)] \wedge [at(cs_j) \Rightarrow P_j] \wedge [at(\epsilon_j) \Rightarrow P_j]$ 

it suffices to prove the weaker condition 

$\{(x = i \Rightarrow y \neq -1) \wedge at(\delta_i) \wedge \bigwedge_{j \neq i} I_j\}\langle \delta_i \rangle\{P_i\}$ 

This formula follows from the observation that $at(\delta_i) \wedge I_j$ implies that, if $at(cs_j)$ is true, 
then $x \neq i$ and statement $\langle \delta_i \rangle$ cannot be executed. 

The verification of the other sequential correctness conditions and of interference free- 
dom is straightforward and is left to the reader. 

In this example, the proof of sequential correctness for $\langle \delta_i \rangle$ requires assuming that, if 
another process $j$ is at control point $cs_j$, then the attached assertion $P_j$ is true. However, 
sequential correctness for $\langle \delta_i \rangle$ proves that $P_i$ is true when process $i$ reaches control 
point $cs_i$. Thus, we are using an induction argument, showing that if every other process 
that has already reached control point $cs_j$ did so with $P_j$ true, then $P_i$ will be true when 
process $i$ reaches $cs_i$. 

In the previous example, the information contained in the annotation of another process 
needed to prove sequential correctness could be established separately as a simple 
lemma. We now indicate why this is not the case here. In the sequential correctness 
proof, the information obtained from the annotation of process $j$ is exactly the result 
we are trying to prove for process $j$. Assuming the truth of the assertion $I_j$ in the 
sequential correctness proof for process $i$ is analogous to assuming, in an ordinary 
proof by mathematical induction, that the desired result is true for all $j < i$ and proving 
that it is true for $i$. Trying to replace the assumption that $I_j$ holds for $j \neq i$ by a lemma 
would be like trying to replace the induction assumption that the theorem is true for all 
$j < i$ by a lemma, which cannot be done because proving the lemma is equivalent to 
proving the original theorem. 

The correctness of the annotation of Figure 4 cannot be proved with the original form 
of the Owicki-Gries method, and thus this proof cannot be translated into one using 
dummy variables instead of control predicates. A different annotation is required when 
dummy variables are used. 

In writing a proof of this algorithm for the original version of [6], we were unable to 
find a simple annotation that could be proved invariant with the original Owicki-Gries 
method, and we were forced to introduce the extended method to give a simple proof. 
Afterwards, J. Misra discovered a proof as simple as ours using dummy variables and 
the original Owicki-Gries method [2]; we intend to use his proof in the next version 
of [6]. We do not know if it is always possible to construct a simple proof with the 
ordinary Owicki-Gries method, but we do know that it is not always easy. 
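As an added illustration for this example (again not the paper's own code), the script below repeats the exhaustive state-space check for the $n$-process program of Figure 4, with $n = 3$ by default. Control points are $\alpha$, $\beta$, $\gamma$, $\delta$, $cs$, $\epsilon$ and an assumed end point after $\epsilon$; $x$ and $y$ range over $-1$ and the process numbers, where for $x$ the value $-1$ stands in for any value that is no process number (the annotation never distinguishes such values). It confirms the two claims made above for $\langle \delta_i \rangle$: the ordinary obligation $\{x = i \Rightarrow y \neq -1\}\langle \delta_i \rangle\{P_i\}$ fails, while the weak one, with $at(\delta_i)$ and the other processes' $I_j$ assumed, holds. It also checks the fact used to prove it ($at(\delta_i) \wedge I_j \wedge at(cs_j)$ leaves $\langle \delta_i \rangle$ unexecutable) and that the annotation's global assertion implies mutual exclusion (condition 2 of Section 2.1). Function names are ours.

```python
"""Exhaustive check of the Figure 4 sequential-correctness conditions for delta_i.

Added example, not from the paper.  Control points per process are alpha, beta,
gamma, delta, cs, eps and end (= after(eps)); x and y range over -1 and the
process numbers 0..n-1, with -1 standing in for any value of x that is not a
process number.  Triples are evaluated over every state, not only reachable ones.
"""
from itertools import product

POINTS = ("alpha", "beta", "gamma", "delta", "cs", "eps", "end")
NEXT = dict(zip(POINTS, POINTS[1:]))


def states(n):
    vals = range(-1, n)
    for pcs in product(POINTS, repeat=n):
        for x, y in product(vals, vals):
            yield (pcs, x, y)


def at(s, j, label):
    return s[0][j] == label


def enabled(s, i, label):
    """<label_i> fires iff process i is at label and its when-guard (if any) holds."""
    pcs, x, y = s
    if pcs[i] != label:
        return False
    if label == "beta":
        return y == -1            # <when y = -1 do skip>
    if label == "delta":
        return x == i             # <when x = i do skip>
    return True


def step(s, i, label):
    pcs, x, y = s
    if label == "alpha":
        x = i                     # <x := i>
    elif label == "gamma":
        y = i                     # <y := i>
    elif label == "eps":
        y = -1                    # <y := -1>
    return (pcs[:i] + (NEXT[label],) + pcs[i + 1:], x, y)


def triple(n, pre, i, label, post):
    """The CPHL formula {pre} <label_i> {post}: vacuous where <label_i> is not enabled."""
    return all(post(step(s, i, label))
               for s in states(n) if pre(s) and enabled(s, i, label))


def P(s, i, n):
    """P_i: for all j != i, not at(cs_j) and ((at(gamma_j) or at(delta_j)) => x != j)."""
    x = s[1]
    return all(not at(s, j, "cs")
               and (not (at(s, j, "gamma") or at(s, j, "delta")) or x != j)
               for j in range(n) if j != i)


def I_delta(s, i):
    """The assertion attached to delta_i: x = i => y != -1."""
    return s[1] != i or s[2] != -1


def I_proc(s, j, n):
    """I_j: (at(delta_j) => I^delta_j) and (at(cs_j) => P_j) and (at(eps_j) => P_j)."""
    return ((not at(s, j, "delta") or I_delta(s, j))
            and (not (at(s, j, "cs") or at(s, j, "eps")) or P(s, j, n)))


def original_condition(n, i):
    """{x = i => y != -1} <delta_i> {P_i}, the ordinary Owicki-Gries obligation."""
    return triple(n, lambda s: I_delta(s, i), i, "delta", lambda s: P(s, i, n))


def weak_condition(n, i):
    """The same obligation with at(delta_i) and every other I_j in the precondition."""
    def pre(s):
        return (I_delta(s, i) and at(s, i, "delta")
                and all(I_proc(s, j, n) for j in range(n) if j != i))
    return triple(n, pre, i, "delta", lambda s: P(s, i, n))


def key_observation(n, i, j):
    """at(delta_i) and I_j and at(cs_j) imply x != i, so <delta_i> is not enabled."""
    return all(not (at(s, i, "delta") and I_proc(s, j, n) and at(s, j, "cs"))
               or not enabled(s, i, "delta")
               for s in states(n))


def exclusion_from_annotation(n):
    """I = I_0 and ... and I_{n-1} implies that no two processes are at cs."""
    I = lambda s: all(I_proc(s, j, n) for j in range(n))
    return all(sum(at(s, j, "cs") for j in range(n)) <= 1
               for s in states(n) if I(s))


if __name__ == "__main__":
    N = 3
    for i in range(N):
        print(f"delta_{i}: original {original_condition(N, i)}, "
              f"strengthened {weak_condition(N, i)}")            # False, True
    print("key observation:", all(key_observation(N, i, j)
                                  for i in range(N) for j in range(N) if j != i))
    print("I implies mutual exclusion:", exclusion_from_annotation(N))
```

The failing states for the original obligation are those with process $i$ at $\delta_i$, $x = i$, $y \neq -1$ and some other process at $cs_j$; adding $I_j$ to the precondition rules them out through $P_j$, which is precisely the circular-looking but sound induction the text describes.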

3 The Formalism 

The discussion of the examples in the preceding section included an informal expla- 
nation of how one applies the Owicki-Gries method using control predicates in the 
annotation. In this section, we develop a formalism that justifies our informal reason- 
ing. For now, we continue to consider only simple straight- line multiprocess programs. 
Section 3.4 discusses the extension of the formalism to other control structures. 

3.1 Hoare Logic with Control Predicates 

To prove that a program $\Pi$ leaves invariant a global assertion $I$, one must prove the 
Hoare logic formula $\{I\}\langle \lambda \rangle\{I\}$ for every (atomic) statement $\langle \lambda \rangle$ of $\Pi$. (This can be 
viewed as either the definition of invariance or an application of the Decomposition 
Principle of [10].) 

The presence of control predicates in $P$ and $Q$ makes the formulas $\{P\}\langle \lambda \rangle\{Q\}$ 
fundamentally different from ordinary Hoare triples. The Control Predicate Hoare Logic 
(CPHL) for reasoning about these formulas is therefore different from ordinary Hoare 
logic. Consider the statement $\alpha_i$: $\langle x := i \rangle$ from the program of Figure 4. If the 
assertion $P$ does not mention the variable $x$, then the ordinary Hoare formula 
$\{P\}\ x := i\ \{P\}$ is valid, but the CPHL formula $\{P\}\langle \alpha_i \rangle\{P\}$ need not be valid. For 
example, even though the predicate $at(\alpha_j)$ does not mention $x$, the formula 
$\{at(\alpha_j)\}\langle \alpha_i \rangle\{at(\alpha_j)\}$ is valid only if $j \neq i$; it is invalid when $j = i$ because 
executing $\langle \alpha_i \rangle$ makes $at(\alpha_i)$ false. 

CPHL subsumes ordinary Hoare logic through the following rule. 

Subsumption Rule: For the statement $\lambda$: $\langle S \rangle$, the validity of the ordinary Hoare 
logic formula $\{P\}S\{Q\}$ (where $P$ and $Q$ do not contain control predicates) implies 
the validity of the CPHL formula $\{P\}\langle \lambda \rangle\{Q\}$. 

Using the subsumption rule, we can derive the following CPHL rule from ordinary 
Hoare logic: 

when Rule: For the statement $\lambda$: $\langle \mathbf{when}\ b\ \mathbf{do}\ S \rangle$, the validity of the ordinary 
Hoare logic formula $\{P\}S\{Q\}$ implies the validity of $\{P \vee \neg b\}\langle \lambda \rangle\{Q\}$. 

Given the axioms and rules of ordinary Hoare logic, the subsumption rule captures 
the semantics of atomic language constructs. Ordinary Hoare logic also has rules that 
are independent of the language constructs. These rules, as listed below, are included 
in CPHL. (They differ from the corresponding rules of ordinary Hoare logic only in 
allowing control predicates in the pre- and postconditions.) 

Rule of Consequence: If $\{P\}\langle \lambda \rangle\{Q\}$, $P' \Rightarrow P$, and $Q \Rightarrow Q'$, then $\{P'\}\langle \lambda \rangle\{Q'\}$. 

Disjunction Rule: If $\{P\}\langle \lambda \rangle\{Q\}$ and $\{P'\}\langle \lambda \rangle\{Q'\}$, then 
$\{P \vee P'\}\langle \lambda \rangle\{Q \vee Q'\}$. 

Conjunction Rule: If $\{P\}\langle \lambda \rangle\{Q\}$ and $\{P'\}\langle \lambda \rangle\{Q'\}$, then 
$\{P \wedge P'\}\langle \lambda \rangle\{Q \wedge Q'\}$. 

Thus far, all our CPHL rules are derived from ordinary Hoare logic rules. Reasoning 
about control predicates requires the following additional rules and axioms. Their 
soundness is self-evident. Recall that $\lambda^+$ denotes the control point immediately following 
statement $\langle \lambda \rangle$. 

Control Axiom: $\{at(\lambda)\}\langle \lambda \rangle\{at(\lambda^+)\}$ 

Noninterference Axiom: If $\nu$ is a control point in a different process from $\langle \lambda \rangle$, 
then $\{at(\nu)\}\langle \lambda \rangle\{at(\nu)\}$ 

Locality Rule: If $\{P \wedge at(\lambda)\}\langle \lambda \rangle\{Q \wedge at(\lambda^+)\}$ then $\{P\}\langle \lambda \rangle\{Q\}$. 

Note that the converse of the Locality Rule follows from the Control Axiom and the 
Conjunction Rule. 

In addition to these rules and axioms, we need axioms for proving simple formulas 
about state predicates. For example, we must be able to prove that, if $\nu$ and $\mu$ are 
different control points in the same process, then $at(\nu) \wedge at(\mu) \equiv \mathit{false}$. Such axioms 
are given in [7] for a more complicated language; we do not consider them here. 

Observe that CPHL has no equivalent to the Rule of Composition of ordinary Hoare 
logic — the rule for reasoning about the ";" construction. The semantics of the ";" are 
given by the Control Axiom, together with the implicit rule for calculating $\lambda^+$. (For 
example, in the program of Figure 4, we know that $\alpha_i^+ = \beta_i$.) As we shall see, it 
is characteristic of CPHL that flow of control is specified by relations among control 
predicates rather than by the special inference rules of ordinary Hoare logic. 

As an illustration of how the rules of CPHL are applied, we sketch the formal proof of 
(5) from our first example. By the Rule of Consequence and the definition of $I_{i \oplus 1}$, it 
suffices to prove 

$\{x_i \wedge (at(cs_{i \oplus 1}) \Rightarrow x_{i \oplus 1})\}\langle \beta_i \rangle\{x_i \wedge \neg at(cs_{i \oplus 1})\}$ 

Expressing the precondition as a disjunction and applying the Disjunction Rule reduces 
the problem to proving the following two conditions: 

$\{x_i \wedge x_{i \oplus 1}\}\langle \beta_i \rangle\{x_i \wedge \neg at(cs_{i \oplus 1})\}$ (7) 
$\{x_i \wedge \neg at(cs_{i \oplus 1})\}\langle \beta_i \rangle\{x_i \wedge \neg at(cs_{i \oplus 1})\}$ (8) 

Formula (7) follows from the Rule of Consequence and the formula 

$\{x_{i \oplus 1}\}\langle \beta_i \rangle\{\mathit{false}\}$ 

which is a consequence of the when Rule (with $\mathit{false}$ substituted for both $P$ and $Q$). 
To prove (8), we apply the Conjunction Rule to break it into the two conditions: 

$\{x_i\}\langle \beta_i \rangle\{x_i\}$ 
$\{\neg at(cs_{i \oplus 1})\}\langle \beta_i \rangle\{\neg at(cs_{i \oplus 1})\}$ 

The first follows from the proof rule for the when statement. To prove the second, we 
use the equivalence 

$\neg at(cs_{i \oplus 1}) \equiv at(\alpha_{i \oplus 1}) \vee at(\beta_{i \oplus 1}) \vee at(\delta_{i \oplus 1}) \vee after(\delta_{i \oplus 1})$ 

and the Disjunction Rule, and we apply the Noninterference Axiom four times. 



3.2 The Strengthened Owicki-Gries Method 

We assume an $n$-process program $\Pi$ with processes $\Pi_0, \ldots, \Pi_{n-1}$. We let $\nu \in \Pi$ mean 
that $\nu$ is a control point of $\Pi$, and similarly $\nu \in \Pi_i$ means that $\nu$ is a control point of 
process $\Pi_i$. 

In the Owicki-Gries method, the invariant $I$ has the form 

$I \equiv \bigwedge_{\nu \in \Pi} \big(at(\nu) \Rightarrow I^\nu\big)$ 

where $I^\nu$ is the assertion attached to control point $\nu$. Let $I_j$ denote $\bigwedge_{\nu \in \Pi_j} \big(at(\nu) \Rightarrow I^\nu\big)$, 
the assertion represented by the annotation of process $\Pi_j$. If $\langle \lambda \rangle$ is a statement of 
process $\Pi_i$, then 

$at(\lambda) \wedge I \equiv at(\lambda) \wedge I^\lambda \wedge \bigwedge_{j \neq i} I_j$ 
$at(\lambda^+) \wedge I \equiv at(\lambda^+) \wedge I^{\lambda^+} \wedge \bigwedge_{j \neq i} I_j$ 

Thus, by the Locality Rule, the Control Axiom, and the Conjunction Rule, to prove the 
invariance condition $\{I\}\langle \lambda \rangle\{I\}$ it suffices to prove: 

$\{I^\lambda \wedge \bigwedge_{j \neq i} I_j\}\langle \lambda \rangle\{I^{\lambda^+} \wedge \bigwedge_{j \neq i} I_j\}$ (10) 

In the standard Owicki-Gries method, one applies the Conjunction Rule to break the 
verification of (10) into two parts: 

$\{I^{\lambda}\}\ \langle\lambda\rangle\ \{I^{\lambda^{+}}\}$ (11) 

$\forall j \neq i\ \forall v \in \Pi_j :\ \{I^{\lambda} \wedge (at(v) \Rightarrow I^{v})\}\ \langle\lambda\rangle\ \{at(v) \Rightarrow I^{v}\}$ (12) 

Condition (11) is sequential correctness for $\langle\lambda\rangle$. To verify (12), we write $at(v) \Rightarrow I^{v}$ as 
$I^{v} \vee \neg at(v)$ and apply the Disjunction Rule and the Rule of Consequence to decompose 
it into the problem of verifying the following two conditions: 

$\forall j \neq i\ \forall v \in \Pi_j :\ \{I^{\lambda} \wedge I^{v}\}\ \langle\lambda\rangle\ \{I^{v}\}$ (13) 
$\forall j \neq i\ \forall v \in \Pi_j :\ \{\neg at(v)\}\ \langle\lambda\rangle\ \{\neg at(v)\}$ (14) 

Condition (13) is interference freedom. Since $\neg at(v) = \bigvee_{\mu \in \Pi_j,\ \mu \neq v} at(\mu)$ (because 
control must be somewhere in process $j$), formula (14) follows from the Disjunction 
Rule and the Noninterference Axiom. 

Formulas (11) and (13) represent the sequential correctness and interference freedom 
conditions of the standard Owicki-Gries method. Since our goal is to prove the invari- 
ance of /, it is easy to see that we can weaken these conditions (by strengthening their 
preconditions) as follows: 

Weak Sequential Correctness: $\{I^{\lambda} \wedge \bigwedge_{j \neq i} I_j\}\ \langle\lambda\rangle\ \{I^{\lambda^{+}}\}$ 

Weak Interference Freedom: $\forall j \neq i\ \forall v \in \Pi_j :$ 
$\{I^{\lambda} \wedge I^{v} \wedge at(v) \wedge \bigwedge_{k \neq i,j} I_k\}\ \langle\lambda\rangle\ \{I^{v}\}$ 

It is this weak sequential correctness condition that we used in our two examples. 
The weak interference freedom condition is weaker than (13) because, to prove that 
executing the statement $\langle\lambda\rangle$ of process $i$ leaves invariant the assertion $I^{v}$ attached to 
process $j$, we are allowed to use the additional hypothesis that, for any third process $k$, 
the assertion $I_k$ defined by the annotation of process $k$ is true. 

We did not need the weak interference freedom condition in our two examples. (Indeed, 
except for the extra hypothesis $at(v)$, it is the same as the original condition (13) 
when there are only two processes, as in our first example.) In most of the concurrent 
algorithms that we have studied, safety properties can be proved by considering the 
processes two at a time, so the stronger precondition employed in the weak interference 
freedom condition does not help. However, as the examples indicate, the weak 
sequential correctness condition is very useful. 

3.3 Equivalence to the Ashcroft Method 

We now show that the strengthened Owicki-Gries method is as powerful as the Ashcroft 
method. More precisely, we prove that, given an assertion $I$ of the form (9), the CPHL 
formula $\{I\}\ \langle\lambda\rangle\ \{I\}$ that must be verified (for all $\lambda$) with the Ashcroft method is provable 
if and only if the weak sequential correctness and interference freedom conditions for 
$\lambda$ are provable. The proof assumes the ability to prove simple logical equivalences 
among predicates. This means that, barring some pathological weakness in the ability 
to reason about predicates, an annotation can be proved correct with the strengthened 
Owicki-Gries method if and only if the corresponding global assertion can be proved 
invariant with the Ashcroft method. 

We showed above that the two weak verification conditions of the extended Owicki-Gries 
method imply the Ashcroft method condition $\{I\}\ \langle\lambda\rangle\ \{I\}$; we now show the 
converse. Recall that $I_j = \bigwedge_{v \in \Pi_j} (at(v) \Rightarrow I^{v})$, so $I = \bigwedge_j I_j$. Our proof is based upon 
the equivalence 

$I_j = \bigvee_{v \in \Pi_j} (at(v) \wedge I^{v})$ (15) 

which follows from the observation that $\bigvee_{v \in \Pi_j} at(v) = true$ and, for any $v, \mu \in \Pi_j$ 
with $v \neq \mu$: $at(v) \wedge at(\mu) = false$. 

Assume $\{I\}\ \langle\lambda\rangle\ \{I\}$. From the Control Axiom, the Conjunction Rule, and the observation 
that $I_i \wedge at(\lambda) = I^{\lambda} \wedge at(\lambda)$, we infer 

$\{I^{\lambda} \wedge at(\lambda) \wedge \bigwedge_{j \neq i} I_j\}\ \langle\lambda\rangle\ \{I\}$ (16) 

The weak sequential correctness condition now follows from the Locality Rule and the 
Rule of Consequence. 

To prove the validity of the weak noninterference condition, we use (15) to substitute 
for $I_j$ and apply the distributive law for the logical operators to rewrite (16) as 

$\{\bigvee_{v \in \Pi_j} (at(\lambda) \wedge I^{\lambda} \wedge at(v) \wedge I^{v} \wedge \bigwedge_{k \neq i,j} I_k)\}\ \langle\lambda\rangle\ \{I\}$ 

The weak noninterference condition now follows from the Locality Rule and the Rule 
of Consequence. 
3.4 Other Control Structures 

To indicate how sequential control structures are handled, we consider first the while 
statement. Suppose a process contains 

$\mathbf{while}\ \beta{:}\ \langle b \rangle\ \mathbf{do}\ \alpha{:}\ S\ \mathbf{od};\ \gamma{:}\ \ldots$ 

where $\beta$, $\alpha$, and $\gamma$ are labels and $S$ is any sequence of statements. The angle brackets 
indicate that the evaluation of the expression is a single atomic action. The evaluation 
of $b$ is one of the atomic operations of the program; to prove the invariance of an 
assertion $I$, we must show that this evaluation leaves $I$ true. In other words, we must prove 
the CPHL formula $\{I\}\ \langle\beta\rangle\ \{I\}$, where $\langle\beta\rangle$ denotes the evaluation of the condition in 
the while statement. 

Ordinary Hoare logic includes only formulas $\{P\}\ S\ \{Q\}$ in which $S$ is a complete statement; 
it has no such formulas as $\{I\}\ \langle\beta\rangle\ \{I\}$ where $\langle\beta\rangle$ is a while-statement test. The 
need for these formulas is not surprising, since the Owicki-Gries method generalizes 
Floyd's method rather than Hoare's method, and Floyd's method has a proof rule for 
flowchart "test" boxes. (The generalized Hoare logic of concurrency, described in [10], 
does not have these Floyd-like rules.) 

The proof rule for the while test $\langle\beta\rangle$ is complicated by the fact that, after its execution, 
control is either at $\alpha$ or at $\gamma$. Hence, there is no unique successor control point $\beta^{+}$. 
It is useful to define the control predicate $after(\lambda)$ to be true if and only if control is 
immediately after the statement or test $\langle\lambda\rangle$. For an assignment or when statement, 
$after(\lambda) = at(\lambda^{+})$. However, for the while statement above, $after(\beta) = at(\alpha) \vee at(\gamma)$. 
The control axiom is strengthened to 

$\{at(\lambda)\}\ \langle\lambda\rangle\ \{after(\lambda)\}$ 

which is equivalent to the one given above when $\langle\lambda\rangle$ is an assignment or when 
statement. 

All our rules for reasoning about concurrent programs, including the strengthened 
Owicki-Gries method for proving invariance, remain valid if we define 

$I^{\beta^{+}} = (at(\alpha) \Rightarrow I^{\alpha}) \wedge (at(\gamma) \Rightarrow I^{\gamma})$ 

when $\langle\beta\rangle$ is the while test above. To enable us to prove CPHL formulas for the atomic 
action $\beta$, we need the following axiom: 

while Test Axiom: If $P$ contains no control predicates, then 

$\{P\}\ \langle\beta\rangle\ \{(at(\alpha) \wedge P \wedge b) \vee (at(\gamma) \wedge P \wedge \neg b)\}$ 

This axiom does not completely define the semantics of the while statement; additional 
axioms are needed to specify the flow of control. We already mentioned one such 
axiom: $after(\beta) = at(\alpha) \vee at(\gamma)$. This asserts that, after executing the test, control 
goes to either $\alpha$ or $\gamma$. We also need to specify that, after executing $S$, control goes back 
to $\beta$. Define $after(S)$ to be $after(\lambda)$, where $\lambda{:}\ \langle S_n \rangle$ is the last statement in the list $S$ 
of atomic statements. The axiom $after(S) = at(\beta)$ asserts that control loops back to $\beta$ 
after executing the body of the while statement. The semantics of the while statement 
are captured by the while Test Axiom and these two axioms about control predicates. 
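Worked derivation, added here and not part of the original paper: the while Test Axiom, the definition of $I^{\beta^{+}}$ given above, and the Rule of Consequence reduce the sequential correctness condition $\{I^{\beta}\}\ \langle\beta\rangle\ \{I^{\beta^{+}}\}$ for the test to two implications between predicates. It assumes that $I^{\beta}$ contains no control predicates, so that the axiom may be instantiated with $P := I^{\beta}$.

```latex
\text{Verification conditions on the annotation (assumed):}\\
(\mathrm{H1})\quad I^{\beta} \wedge b \;\Rightarrow\; I^{\alpha}
\qquad
(\mathrm{H2})\quad I^{\beta} \wedge \neg b \;\Rightarrow\; I^{\gamma}
\\[6pt]
\text{Step 1 (while Test Axiom with } P := I^{\beta}\text{):}\\
\{I^{\beta}\}\ \langle\beta\rangle\ \{(at(\alpha) \wedge I^{\beta} \wedge b) \vee (at(\gamma) \wedge I^{\beta} \wedge \neg b)\}
\\[6pt]
\text{Step 2 (apply H1 in the first disjunct, H2 in the second):}\\
(at(\alpha) \wedge I^{\beta} \wedge b) \vee (at(\gamma) \wedge I^{\beta} \wedge \neg b)
\;\Rightarrow\; (at(\alpha) \wedge I^{\alpha}) \vee (at(\gamma) \wedge I^{\gamma})
\\[6pt]
\text{Step 3 (distinct control points exclude each other, } at(\alpha) \wedge at(\gamma) = false\text{):}\\
(at(\alpha) \wedge I^{\alpha}) \vee (at(\gamma) \wedge I^{\gamma})
\;\Rightarrow\; (at(\alpha) \Rightarrow I^{\alpha}) \wedge (at(\gamma) \Rightarrow I^{\gamma})
\;=\; I^{\beta^{+}}
\\[6pt]
\text{Step 4 (Rule of Consequence, weakening the postcondition of Step 1 by Steps 2--3):}\\
\{I^{\beta}\}\ \langle\beta\rangle\ \{I^{\beta^{+}}\}
```

In Step 3 the second conjunct of $I^{\beta^{+}}$ holds in the first disjunct because $at(\gamma)$ is false there, and symmetrically for the first conjunct in the second disjunct. For the weak sequential correctness condition, the conjunct $\bigwedge_{j \neq i} I_j$ contains control predicates of other processes, so it cannot be folded into $P$; it is carried across $\langle\beta\rangle$ by the Locality Rule instead.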

Other sequential control structures are handled similarly. For example, consider the 
statement 

$\mathbf{if}\ \beta{:}\ \langle b \rangle\ \mathbf{then}\ \alpha{:}\ S\ \mathbf{fi};\ \gamma{:}\ \ldots$ 

The axiom for the test $\langle\beta\rangle$ in this statement is identical to the while Test Axiom above. 
The flow of control axioms are: $after(\beta) = at(\alpha) \vee at(\gamma)$ and $after(S) = at(\gamma)$. 

Observe that the only difference between the axioms for the while and if statements is in 
the axiom for $after(S)$. This reflects the fact that the only difference between the two 
statements is that, after executing $S$, the while loops back to the beginning and the if 
continues to the following statement. In CPHL, flow of control is described by relations 
among control predicates, not by special inference rules. 

One can also extend the Owicki-Gries method to programs having any process structure 
that can be expressed with nested cobegin statements. In this case, the interference 
freedom condition must be generalized by letting v range over all control points in 
concurrently active processes. (These control points are determined syntactically.) 
Control predicate axioms assert that control is at the beginning of each clause (process) 
when it is at the beginning of the cobegin, and control is at the point immediately 
following the coend when it is at the end of each clause. Care must also be exercised 
in defining $I^{\lambda^{+}}$ for the control points immediately before and after the cobegin 
when applying the method. 

4 Discussion 

We have shown how the Owicki-Gries method can be strengthened by using weaker 
sequential correctness and interference freedom conditions. The significant change is 
the weaker sequential correctness condition, which permits the use of information from 
other processes' annotations. This strengthening is useful only when control predicates 
appear in the annotation; it is of no benefit if the control predicates are replaced by 
dummy variables, as in the method originally advocated by Owicki and Gries. Unlike 
the original Owicki-Gries method, the strengthened version has the property that it 
works for any annotation that represents an invariant assertion. 

When expressed formally, the weak sequential correctness and interference freedom 
conditions are more complicated than the original ones (11) and (13). However, this 
is a welcome complication because it adds hypotheses to the precondition of a Hoare 
formula. In practice, one adds only those extra hypotheses that are useful. (Formally, 
this means applying the Rule of Consequence.) 

The significant distinction between control predicates and dummy variables is not 
between predicates and variables, but between control and "dummy". When proving 
properties of concurrent programs, one must reason about the control state. Although 
dummy variables can be used to represent the control state, the lack of a formal 
connection between these variables and the control predicates that they represent limits 
their utility. 

As mentioned in [9] , control predicates can be viewed as implicit variables. (We prefer 
the term "implicit" to "dummy" or "auxiliary" because these variables represent a 
part of the program state that is just as real as that represented by ordinary variables; 
they differ from ordinary variables only in that the programming language provides no 
explicit mechanism for representing their values.) Relations among control predicates, 
such as $after(\beta) = at(\alpha) \vee at(\gamma)$, become aliasing relations among these variables. 
Our Control Predicate Hoare Logic can be obtained by extending the ordinary Hoare 
logic to handle aliasing relations (as in [9]) and assertions containing implicit variables. 

Considering control predicates to be implicit variables can provide a more elegant 
formal justification of the Owicki-Gries method, but it does not change the way the 
method is used to reason about specific programs. This formal approach works best 
with the generalized Hoare logic of concurrency. It provides one of the techniques used 
in [5] to define a formal semantics for concurrent programming languages. 